IPv6 sanity check
-
I've been trying, unsuccessfully, to turn up a network that is native IPv6 with a static WAN. I believe my issues are in the router advertisements but I'm not 100% on it.
From my pfsense box, under "Diagnostics -> Ping" I can successfully ping ipv6.google.com and my ISP gateway, however internally I can not. From a client, I can ping my pfsense box but can not ping the ISP gateway nor ipv6.google.com.
This is my first experience with IPv6 so this is definitely a learning experience. Thanks for any assistance.
Information:
- ISP: AT&T
- IP Block: 2001:xxxx:xxxx:6900::/56
- First usable: 2001:xxxx:xxxx:6900::2/56
- Gateway: 2001:xxxx:xxxx:6900::1/56
So I statically assigned the WAN interface with 2001:1890:120C:6900:2/56 and added the upstream gateway as you can see here: http://d.pr/i/gn7JxT/2v4i9YP9
On the LAN interface, I set a static IPv4 as 192.168.1.1 and then IPv6 as 2001:xxxx:xxxx:6901::1/64 - http://d.pr/i/FXmiTA/yHmtdyUd
Under DHCPv6 and RA I have the DHCPv6 server turned off for the LAN (and WAN for that matter). http://d.pr/i/bZhTuy/DY8Ayxj7
And then under RA, I have it set to Unmanaged. http://d.pr/i/9HZvj3/msv03Uab
My DNS servers are set to the ones provided by the ISP under General Setup.
So what am I doing wrong here?
-
-
Your LAN address should not be 2001:xxxx:xxxx:6901::1/64
Try 2001:xxxx:xxxx:6900:1::1/64
Your entire subnet is a /56, which are the first 56 bits
2001: = 16 +
xxxx = 16 +
xxxx = 16 +
6900 = 16 +
-------
48
-------
Plus 8 bits from the 5th so your allocated range is: 2001:xxxx:xxxx:6900:00 = /56
The rest is yours to play with, so on your LAN side do this
2001:xxxx:xxxx:6900:0001 or 2001:xxxx:xxxx:6900:1
Now add the address for pfSense itself on the LAN side, we'll make it 1
2001:xxxx:xxxx:6900:1::1
And that should work.
-
I must still have something wrong. I can resolve ipv6.google.com but I can not ping it or browse to it. I've made the LAN IP 2001:xxxx:xxxx:6900:1::1 as suggested and assumed this was a /64. Is that right?
-
What have you got set up in your dhcp6 server?
It should be something like
from 2001:xxxx:xxxx:6900:1::2 to 2001:xxxx:xxxx:6900::ffff:ffff and set the RA mode to assisted.
-
This is what I have now on the DHCPv6 side and the RA is set to assisted. http://d.pr/i/nLHmPX/5bVlaMj8
Another interesting point is now I can't ping ipv6.google.com from the diagnostics interface where I could before.
-
OK, let's do this stage by stage.
In Diagnostics Ping, Set the Hostname to 2001:41c1:4008::bbc:1 ( BBC UK )
Protocol IPv6
Source Address WAN
Max Pings 3
Do you get a response?
Now, if you do, good.
Now before we go further, do you have a valid V6 address on your LAN interface?
-
I was able to ping 2001:41c1:4008::bbc:1 but I also tried ipv6.google.com again and was not able to get there.
The IP I have on my LAN interface is 192.168.1.1 for IPv4 and 2001:xxxx:xxxx:6900:1::1 for IPv6.
-
Well if you can ping the BBC address then ipv6 is working.
So now you have enabled the dhcpv6 ranges, what address(es) do you see on your PC when doing ipconfig (if Windows)?
-
Connection-specific DNS Suffix . : localdomain
IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6900:806a:e655:2a58:123
IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6900:ffff::7966
Temporary IPv6 Address. . . . . . : 2001:xxxx:xxxx:6900:bccd:35e8:9436:f0f2
Link-local IPv6 Address . . . . . : fe80::806a:e655:2a58:123%10
IPv4 Address. . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::2e0:b6ff:fe13:6ea2%10
192.168.1.1
-
Those addresses should be xxxx:6900:1:*
Sorry, it looks like it might be my typo in an earlier message.
It should read from 2001:xxxx:xxxx:6900:1::2 to 2001:xxxx:xxxx:6900:1:ffff:ffff
DHCPv6 addresses on the LAN need to be in the same 64 range as the LAN address.
Once that's done then disable and re-enable the LAN port on the PC, then ipconfig and check the address is in the right 64.
Use this address to check your IPv6 with a browser.
http://ipv6-test.com/
-
Are you sure that range is correct? It's giving me a "valid range must be specified" error.
-
I changed it to: 2001:xxxx:xxxx:6900:1::2 to 2001:xxxx:xxxx:6900:1::ffff
That should work, correct?
-
Yes it should, can't see instantly why it complained. I'll fire it up on my test unit as soon as I get the chance and see what's wrong.
-
No.
2001:xxxx:xxxx:6900:1::2
That will still be on the WAN subnet.
Set your WAN IPv6 address to 2001:xxxx:xxxx:6900::2/64
Set the default IPv6 gateway on that interface to: 2001:xxxx:xxxx:6900::1
That leaves 255 /64 networks to assign to inside interfaces:
2001:xxxx:xxxx:6901::/64 through 2001:xxxx:xxxx:69ff::/64
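
An added example, not part of the original thread: a small checker for the kind of WAN/LAN/DHCPv6 plan discussed above, run against the configurations tried so far. It assumes the documentation prefix 2001:db8:0:6900::/56 in place of the masked block, and the function names `lan_candidates` and `check_plan` are hypothetical.

```python
import ipaddress

# Constructed values: 2001:db8::/32 is the documentation prefix, standing in
# for the masked 2001:xxxx:xxxx:6900::/56 block in the thread.
DELEGATED = ipaddress.ip_network("2001:db8:0:6900::/56")


def lan_candidates(delegated, wan_if):
    """/64s of the delegated block that do not overlap the WAN subnet."""
    wan_net = ipaddress.ip_interface(wan_if).network
    return [n for n in delegated.subnets(new_prefix=64)
            if not n.overlaps(wan_net)]


def check_plan(delegated, wan_if, lan_if, pool_start, pool_end):
    """Return a list of problems; an empty list means the plan is consistent."""
    try:
        wan = ipaddress.ip_interface(wan_if)
        lan = ipaddress.ip_interface(lan_if)
        start = ipaddress.ip_address(pool_start)
        end = ipaddress.ip_address(pool_end)
    except ValueError as exc:
        return [f"invalid address: {exc}"]
    problems = []
    if lan.network.prefixlen != 64:
        problems.append("LAN prefix is not a /64")
    if not lan.network.subnet_of(delegated):
        problems.append("LAN subnet is outside the delegated block")
    if lan.network.overlaps(wan.network):
        problems.append("LAN subnet overlaps the WAN subnet")
    for label, addr in (("start", start), ("end", end)):
        if addr not in lan.network:
            problems.append(f"pool {label} is outside the LAN /64")
    if start > end:
        problems.append("pool start is above pool end")
    return problems


if __name__ == "__main__":
    # LAN address placed in the fifth group while the WAN is still a /56.
    print(check_plan(DELEGATED, "2001:db8:0:6900::2/56",
                     "2001:db8:0:6900:1::1/64",
                     "2001:db8:0:6900:1::2", "2001:db8:0:6900::ffff:ffff"))
    # WAN narrowed to a /64, LAN moved to the next /64 of the block.
    print(check_plan(DELEGATED, "2001:db8:0:6900::2/64",
                     "2001:db8:0:6901::1/64",
                     "2001:db8:0:6901::2", "2001:db8:0:6901::ffff"))
    print(len(lan_candidates(DELEGATED, "2001:db8:0:6900::2/64")))
```
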
-
Thanks Derelict, not enough sleep and too many work hours the last couple of weeks, silly mistakes are creeping in!
-
I have the WAN set as 2001:xxxx:xxxx:6900::2/64 and the LAN IP set as 2001:xxxx:xxxx:6901::1/64.
On the DHCPv6 page, I have the range set to 2001:xxxx:xxxx:6901::2 - 2001:xxxx:xxxx:6901::ffff.
From the Diagnostics screen, I can now ping ipv6.google.com but I still can not ping either the BBC IP listed above nor ipv6.google.com from a client machine. What am I missing?
-
What IP are you getting on the machine inside the LAN?
Check IP and default gateway.
-
On the DHCPv6 page, I have the range set to 2001:xxxx:xxxx:6901::2 - 201:xxxx:xxxx:6901:ffff.
When trying to solicit help from someone remote, specific details and accuracy are important.
-
Ethernet adapter Ethernet:
Connection-specific DNS Suffix . : localdomain
IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6901::f966
IPv6 Address. . . . . . . . . . . : 2001:xxxx:xxxx:6901:806a:e655:2a58:123
Temporary IPv6 Address. . . . . . : 2001:xxxx:xxxx:6901:e023:5e95:6d44:5c7b
Link-local IPv6 Address . . . . . : fe80::806a:e655:2a58:123%10
IPv4 Address. . . . . . . . . . . : 192.168.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::2e0:b6ff:fe13:6ea2%10
192.168.1.1
This is what a client is getting. Thank you all very much for your help.
-
2 things:
- Verify that the fe80::2e0:b6ff:fe13:6ea2 address you see actually belongs to the LAN interface on your pfSense.
- Check DNS settings, does nslookup return the expected results?
eg:
Non-authoritative answer:
Name: ipv6.l.google.com
Address: 2607:f8b0:400b:809::200e
Aliases: ipv6.google.com
Lastly tracert -d ipv6.google.com, see how far it gets before stopping.
-